Data Security Requirements To Be Increased In US Capital

By Antonia Dumas, Esq., Associate at XPAN Law Group, LLC 

The Attorney General of the District of Columbia originally introduced a new data security bill last year (March 21, 2019). The Bill progressed to the Committee on Judiciary and Public Safety, but the buzz around that D.C. bill died down amidst the amendments to the California Consumer Privacy Act of 2018 (CCPA) and other emerging data privacy laws across the US. However, the start of 2020 has brought a revival of that Bill after the Committee submitted its report and a few amendments were made. The data security bill, now named the Security Breach Protection Amendment Act of 2020, was passed unanimously on March 13, 2019 and transmitted to Mayor Muriel Bowser’s desk for review and approval by March 27, 2020. 

The Intention Behind the Amendment 

Broadened Definition of Protected Information 

Like many other data privacy and breach notification laws, the Bill expands the definition of personal identifying information (PII) under the District of Columbia’s breach notification law. Under the new bill, companies doing business in the District of Columbia must also protect passport numbers, military identifications, health data, genetic profiles, and biometric data. The original law only protected Social Security numbers, driver’s license numbers, credit card numbers, and debit card numbers.

Increased Breach Notification Requirements 

The new bill adds requirements for breach notifications submitted to the Office of the AG as well as to affected consumers, including more detailed descriptions of a company’s data-protection measures to help determine whether the company employed “reasonable” cybersecurity safeguards. Notifications to consumers must be more detailed, providing information such as the categories of affected information and contact information for the entity, consumer reporting agencies, the Federal Trade Commission and the Office of the Attorney General. Requirements for notification to the Attorney General (for breaches affecting 50 or more residents) are spelled out and require that a sample of the notice provided to D.C. residents be included. 

Increased Local Enforcement Power 

Additionally, the new bill gives local authorities more enforcement powers against companies that expose customers’ sensitive data, in particular due to weak cybersecurity practices. It also gives the AG’s office new powers to pursue penalties and fines from companies under the District of Columbia’s Consumer Protection Procedures Act. The Bill (following the trend of the Federal Trade Commission’s enforcement actions) requires companies to provide identity theft protection (free credit monitoring) for 18 months to residents whose Social Security or Tax Identification Numbers were exposed. 

Similarities To Other Data Privacy and Security Laws 

Under most state regulations, there is a general “reasonableness” standard for evaluating compliance. In general, the various regulations require companies to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information. The personal information that is protected often spans many different types of data, with many states broadening what is considered more damaging information whose exposure will result in liability. Typically, these regulations require protections for Social Security numbers, health information, and financial information. As seen in the D.C. Bill, however, that list is broadened to include account login information and biometric data, to name a few.

Often, reasonable safeguards under data privacy and security regulations include administrative, technical and physical safeguards. The D.C. Bill requires that companies “implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.” Sec. 28-3852a(a). 

Administrative Safeguards 

Administrative safeguards usually address administrative policies, procedures and general practices for managing data privacy and security. The D.C. Bill specifies some security requirements similar to those of other regulations that require a security program (NY SHIELD Act) or a detailed security plan (NYDFS). For example, under the NYDFS, detailed requirements include designating a Chief Information Security Officer (CISO), enacting a comprehensive cybersecurity policy, initiating and maintaining an ongoing reporting system for cybersecurity events, and requiring an annual certification (by the Chairperson of the Board of Directors or a Senior Officer). 

The D.C. Bill even imposes third-party management contractual requirements when data is disclosed to a third party. It requires that the third party “implement and maintain reasonable security procedures and practices.” Sec. 28-3852a(b). These are similar to the vendor/third-party management requirements under the NY SHIELD Act and NYDFS and the contractual safeguards under the CCPA and NY SHIELD Act. 

The D.C. Bill does not establish certain proactive measures that other regulations do, such as: 

  • General risk assessments (NY SHIELD Act and NYDFS); or 
  • Security training (NY SHIELD Act), including cybersecurity awareness and updates as well as monitoring of employee activity (NYDFS).

Technical Safeguards 

Technical safeguards usually address access controls, data protection and storage requirements, and network and security requirements to protect the security of a company’s network and systems and data privacy. The D.C. Bill does not establish certain technical safeguards that other regulations do, such as: 

  • Technical risk assessments (NY SHIELD Act, NYDFS); 
  • Regular monitoring (NY SHIELD Act), including systems and network monitoring (NYDFS); or 
  • Regular testing (NY SHIELD Act), such as penetration and vulnerability testing of systems and networks (NYDFS). 

Physical Safeguards 

Physical safeguards usually address the physical security of a company’s resources and facilities in order to protect the security of a company’s network and systems and data privacy. The D.C. Bill does not establish certain physical safeguards that other regulations do, such as the physical security and environmental controls under the NYDFS. However, the D.C. Bill does require reasonable steps against unauthorized access to or use of personal information when destroying records or devices, similar to the requirements for addressing the risks associated with the storage and disposal of data under the NY SHIELD Act. 

Key Takeaways 

Although the D.C. Bill does not impose such expansive requirements as some other data privacy and security regulations, companies that are in D.C. should be aware of the following requirements: 

  1. Implementing and maintaining reasonable security safeguards (taking into account administrative, technical and physical safeguards); 
  2. Ensuring your vendors are implementing and maintaining reasonable security safeguards by entering into an agreement before disclosing data; 
  3. If a breach occurs, providing sufficient notice that includes the detailed information required by the D.C. Bill; 
  4. Providing sufficient notice to the Attorney General’s office (and sharing the notice sent to consumers) when required; and 
  5. Being prepared for potential remedies, such as free identity theft protection services (e.g., credit monitoring) for 18 months when Social Security or tax identification numbers are exposed. 

XPAN Law Group works with its clients to provide various cybersecurity services, including assessments of current cybersecurity regulatory requirements, and works with them towards a more secure infrastructure. You can learn more about XPAN’s cybersecurity services here. Stay informed and be prepared! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.